LKML Archive on
From: Peter Staubach <>
To: "J. Bruce Fields" <>
Cc: Chuck Lever <>,
	Linux Kernel Mailing List <>,
	Andrew Morton <>,
	Trond Myklebust <>,
	linux-fsdevel <>
Subject: Re: [PATCH 0/3] enhanced ESTALE error handling
Date: Fri, 18 Jan 2008 14:12:35 -0500	[thread overview]
Message-ID: <>
In-Reply-To: <>

J. Bruce Fields wrote:
> On Fri, Jan 18, 2008 at 01:12:03PM -0500, Peter Staubach wrote:
>> Chuck Lever wrote:
>>> On Jan 18, 2008, at 12:30 PM, Peter Staubach wrote:
>>>> I can probably imagine a situation where the pathname resolution
>>>> would never finish, but I am not sure that it could ever happen
>>>> in nature.
>>> Unless someone is doing something malicious.  Or if the server is  
>>> repeatedly returning ESTALE for some reason.
>> If the server is repeatedly returning ESTALE, then the pathname
>> resolution will fail to make progress and give up, return ENOENT
>> to the user level.
>> A malicious user on the network can cause so many other problems
>> than just something like this too.  But, in this case, the user
>> would have to predict why and when the client was issuing a
>> specific operation and know whether or not to return ESTALE.
>> This seems quite far fetched and quite unlikely to me.
> Any idea what the consequences would be in this case?  It at least
> shouldn't overflow the stack, or freeze the whole machine (because it
> spins indefinitely under some crucial lock), or panic, etc.  (If the one
> filesystem just becomes unusable--well, fine, what better can you hope
> for in the presence of a malicious server or network?)

Assuming that such a user could precisely and accurately predict
when to return ESTALE, the particular system call would just stay
in the kernel, sending out requests to the NFS server.

It wouldn't overflow the stack because the recovery is done by
looping and not by recursion and unless there is a bug that needs
to be fixed, all necessary resources are released before the
retries occur.  The machine wouldn't freeze because as soon as
the request is sent, the process blocks and some other process
can be scheduled.  The process should be interruptible, so it could
even be signaled to stop the activity.

It seems to me that mostly, the file system will become unusable,
but as Bruce points out, what do you expect in the presence of a
malicious entity?  If such are a concern, then measures such as
stronger security can be employed to prevent them from wreaking
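The three properties Peter lists for the recovery path (retry by looping rather than recursion, references dropped before each retry, and an interruptible wait) can be checked in a small user-space model. The following is an added example written for this page, not code from the patch series or from the kernel: the `fake_server`, `fake_dentry`, `nfs_model_do_lookup`, `run_scenario` and `signal_pending_flag` names, and the `MAX_ESTALE_RETRIES` bound, are assumptions of the model. It simulates an honest server whose file handle changed once (one ESTALE, then success), a server that answers ESTALE to every request (the loop gives up and returns ENOENT after a bounded number of non-progressing retries), and a pending signal (the loop returns EINTR), and it verifies that the dentry reference count is back to zero in every case.

```c
/*
 * Constructed model of a looping ESTALE recovery path. Added illustration,
 * not kernel code: every name below is an assumption of this example.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_ESTALE_RETRIES 8      /* assumed bound on non-progressing retries */

/* The "server": a client file handle is valid while its generation matches. */
struct fake_server {
    unsigned current_gen;         /* generation of the live file handle */
    bool always_stale;            /* models a broken or malicious server */
    unsigned rpc_count;           /* requests the client sent over the wire */
};

/* The client's cached view of the object. */
struct fake_dentry {
    unsigned gen;                 /* file handle generation cached by the client */
    int refcount;                 /* must be 0 when the system call returns */
};

static volatile int signal_pending_flag;  /* stands in for signal_pending(current) */

/* One lookup RPC: 0 on success, -ESTALE when the cached handle is stale. */
static int rpc_lookup(struct fake_server *srv, const struct fake_dentry *d)
{
    srv->rpc_count++;
    if (srv->always_stale || d->gen != srv->current_gen)
        return -ESTALE;
    return 0;
}

/* Re-resolve from the root: fetch whatever handle the server holds now. */
static void revalidate(struct fake_server *srv, struct fake_dentry *d)
{
    srv->rpc_count++;
    d->gen = srv->current_gen;
}

/*
 * The recovery loop. Returns 0, -ENOENT (gave up), or -EINTR (signalled).
 * Retrying is a loop, so stack depth is constant; the dentry reference taken
 * for one attempt is dropped before the next attempt is made.
 */
static int nfs_model_do_lookup(struct fake_server *srv, struct fake_dentry *d)
{
    int retries = 0;

    for (;;) {
        int err;

        if (signal_pending_flag)
            return -EINTR;        /* interruptible: a signal stops the activity */

        d->refcount++;            /* reference held only for this attempt */
        err = rpc_lookup(srv, d);
        d->refcount--;            /* released before any retry */

        if (err != -ESTALE)
            return err;
        if (++retries > MAX_ESTALE_RETRIES)
            return -ENOENT;       /* no progress: give up rather than spin */
        revalidate(srv, d);
    }
}

/* Runs one scenario; reports RPCs sent and the final reference count. */
int run_scenario(bool always_stale, unsigned client_gen, unsigned server_gen,
                 bool signalled, unsigned *rpcs, int *refcount)
{
    struct fake_server srv = { server_gen, always_stale, 0 };
    struct fake_dentry d = { client_gen, 0 };
    int err;

    signal_pending_flag = signalled;
    err = nfs_model_do_lookup(&srv, &d);
    signal_pending_flag = 0;
    *rpcs = srv.rpc_count;
    *refcount = d.refcount;
    return err;
}

int main(void)
{
    unsigned rpcs; int refs;
    printf("renamed once: err=%d rpcs=%u refs=%d\n",
           run_scenario(false, 1, 2, false, &rpcs, &refs), rpcs, refs);
    printf("always stale: err=%d rpcs=%u refs=%d\n",
           run_scenario(true, 1, 1, false, &rpcs, &refs), rpcs, refs);
    printf("signalled:    err=%d rpcs=%u refs=%d\n",
           run_scenario(false, 1, 1, true, &rpcs, &refs), rpcs, refs);
    return 0;
}
```

With an honest server the loop costs one failed lookup, one revalidation and one successful lookup; with a server that always answers ESTALE the bound is what turns the malicious case into an unusable file (ENOENT) instead of a system call that never returns.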



Thread overview: 14+ messages
2008-01-18 15:35 Peter Staubach
2008-01-18 15:46 ` J. Bruce Fields
2008-01-18 16:41 ` Chuck Lever
2008-01-18 16:55   ` Peter Staubach
2008-01-18 17:17     ` Chuck Lever
2008-01-18 17:30       ` Peter Staubach
2008-01-18 17:52         ` Chuck Lever
2008-01-18 18:12           ` Peter Staubach
2008-01-18 18:37             ` J. Bruce Fields
2008-01-18 19:12               ` Peter Staubach [this message]
2008-01-18 18:17         ` Chuck Lever
2008-02-01 20:57 ` [PATCH 0/3] enhanced ESTALE error handling (v2) Peter Staubach
2008-03-10 20:23   ` [PATCH 0/3] enhanced ESTALE error handling (v3) Peter Staubach
2008-03-10 22:42     ` Andreas Dilger
